
Controlling Security II Module (P) Page 1 of 49

Controlling Security

Copyright 2001 © Douglas Wentz, Inc. 1

Module Overview
This module introduces advanced concepts of controlling security in the Oracle 9i
database. Additional security features, including enhanced password security and the
assignment of profiles to users, are presented, as are the concepts of auditing. This
module should be taken directly after the Controlling Security I module of the Oracle 9i
Database Administration I class.
Completion Time
Estimated time to complete this module is one hour for presentation and one hour for the
lab exercises.
Location of Presentations, Labs, & Examples
All presentations, labs, and examples are located on the Oracle Database Administration
Certified Professional Training CD in the directories and file names as follows.
DBAOCP\LABS\ControlSecurityII.txt          Labs
DBAOCP\PPTS\ControlSecurityII.ppt          PowerPoint Presentations
DBAOCP\EXAMPLES\ControlSecurityII.txt      Presentation Examples
DBA_OCP\DOCS\ControlSecurityII.doc         This documentation
DBA_OCP\Install\DBAOCPInstall.txt          Script to create the schema for this course

Scripts to create the schema required for the labs in this module and prior modules are
found on the Database Administration Certified Professional training CD in the directory
DBAOCP\Install\DBAOCPInstall.txt. These scripts should have been executed during
the lab after completing the SQL Query Fundamentals module.

Copyright 2002 © Douglas Wentz, Inc.



Objectives
Administration of Passwords for Users
Password Expiration
Account Locking and UnLocking
Creating Operating System Authenticated Users
Assigning Users to Tablespaces and Quotas
Creating Profiles and Assigning to Users
Auditing


• Introduce the advanced password features of:
o Password Expiration
o Account Locking and Unlocking
• Present the basics of operating system authentication of users.
• Identify how to assign users to tablespaces and quotas.
• Present the concept of profiles and how to assign profiles to users.
• Learn how to audit database activity.


Administration of Passwords

Slide diagram: a user asks the database administrator to create an Oracle user; the
database administrator creates a user named Marketing in the Oracle database.

• Overview of creating an Oracle user



• The concepts of Users and Schemas were presented in the module
Relational Database Concepts in the Introduction to Oracle 9i SQL class.
• The terms User and Schema are used interchangeably. A Schema is
owned by the database User and has the same name as the User. Each
user owns a single User Account / Schema.
• A Schema is a named collection of objects, such as tables, views,
clusters, procedures, and packages. A Schema is created automatically
whenever the database administrator creates a new user. That new user
can create objects in their Schema.
• The database administrator is usually responsible for creating new users.
When the database administrator creates a User Account, a Schema is
created automatically with the same name as the User Account.
• The database administrator will usually grant new users certain privileges,
optionally with the ability for the new user to grant those privileges to others.
• Whenever objects are created under a certain User Account / Schema,
that User Account / Schema owns those objects. Those objects
and associated privileges may be granted by the owner to others if
desired.
• In this class, we have already created a user named Sales.


Administration of Passwords
Creating a New User
CREATE USER Marketing IDENTIFIED By ITSOK;

Example of creating a new user

• The CREATE USER statement creates a new user



• CREATE USER is a system privilege; the CREATE USER statement creates a
new Oracle user. The user creating the new user must have the CREATE
USER privilege. Generally, a new user is created by the database
administrator.
• The CREATE USER statement only creates the user. The user cannot
connect to the Oracle database at this point.
• The maximum user name length is 30 bytes. User names are not
case sensitive.
• Whenever a new user is created an initial password must be assigned. The
maximum password length is 30 bytes. Passwords are not case
sensitive in Oracle.
• The new user's name must be unique among the user names and
role names within the Oracle database.
• The new user must be created by a person having the appropriate
privilege to create new users.
• The database administrator who creates a new user has many other
options that can be assigned to the new user. These options are set by the
database administrator and are addressed in detail in this module. Some of
these options include:
o Which tablespace the data should be stored in if the user creates
tables.
o Which tablespace should be used for temporary sorts.
o Quota (space usage) limitations on tablespaces.
o Whether the user should be assigned a profile.
o Whether to leave the account locked or unlocked.
o Whether to force the user to change their password.

• At this point, a new user is created and a new schema is created at the
same time for that new user.
Example of creating a new user

Example of creating a new user with other options

Note: Remember from the Controlling Security I module that the database
administrator must grant additional privileges to the newly created user. Many
times the roles CONNECT or RESOURCE are granted to the new user.
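A CREATE USER statement that exercises each of the options listed above, followed by the role grant the note describes. This is an added example, not the statement from the course example file; the tablespaces USERS and TEMP and the profile Support_Only are assumed to exist.

```sql
-- Added example: CREATE USER with the optional clauses listed above.
-- Assumes the tablespaces USERS and TEMP and the profile Support_Only exist.
CREATE USER Marketing IDENTIFIED BY ITSOK
   DEFAULT TABLESPACE Users        -- where Marketing's tables and indexes are stored
   TEMPORARY TABLESPACE Temp       -- sort segments go here, never into SYSTEM
   QUOTA 50M ON Users              -- cap on the space Marketing may consume in USERS
   QUOTA 0 ON System               -- no objects may ever be created in SYSTEM
   PROFILE Support_Only            -- resource and password limits (see Creating Profiles)
   PASSWORD EXPIRE                 -- ITSOK must be changed at the first connection
   ACCOUNT UNLOCK;                 -- the account is usable (the default, stated explicitly)

-- CREATE USER alone does not allow a connection; grant the CONNECT role
-- (or at least CREATE SESSION), as covered in Controlling Security I.
GRANT CONNECT TO Marketing;

-- Verify what was stored in the data dictionary.  Because of PASSWORD EXPIRE
-- the Account_Status reads EXPIRED until Marketing picks a new password.
SELECT UserName, Default_Tablespace, Temporary_Tablespace,
       Profile, Account_Status, Expiry_Date
  FROM DBA_Users
 WHERE UserName = 'MARKETING';
```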


Administration of Passwords
Password Expiration and Locking
CREATE USER Marketing Identified By ITSOK
Password Expire
Account UnLock;

Password Expire
And
Account UnLock

• Passwords can EXPIRE and accounts can be LOCKED


• Specify the Password Expire clause whenever creating a new user to force the
new user to change their password when connecting for the first time.

• Password Expire adds an extra level of protection: once the user has changed
the password, not even the database administrator knows it.

• If the Password Expire option is not used when the new user is created, that
user will not be prompted for a new password.

• Specify the Account Lock option to lock the user's account so the user cannot
connect to the database.

• Use the Account UnLock option to allow the user to connect to the database
using their UserId and Password. The default is unlocked whenever creating a
new user.

Example of using the Password Expire option and Account Unlock option


Administration of Passwords
Operating System Authentication
Slide diagram: Oracle database authentication methods: Oracle, Operating System,
Remote Service.

• Users can be authenticated using three methods



• An Oracle user can be authenticated at the following three levels.
o By Oracle authentication, where the password is verified against the
Oracle Data Dictionary. This option was presented in PowerPoint
slides 4 and 5 and is the most common method of
authentication.
o By Operating System authentication, where the operating system
UserId and Password are assumed to be the same as the Oracle UserId
and Password.
o Steps for Operating System authentication:
Set the Initialization Parameter File parameter
OS_AUTHENT_PREFIX to the prefix to use. In prior versions of
Oracle this was set to OPS$. In Oracle 9i it can be set to a null
value.
Set the Initialization Parameter File parameter
REMOTE_OS_AUTHENT to TRUE if remote clients are to be
authenticated by their operating system. The default is FALSE.
o Whenever implementing Operating System authentication be
extremely cautious since this security method contains many
loopholes.
o By Remote Service authentication. With this option the user must
be authenticated by the Enterprise Directory Service and the
GLOBALLY clause is used when creating the user. This option is
beyond the scope of this class.
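An added example (not part of the course material) for reviewing and configuring the operating system authentication settings described above; the account OPS$JSMITH is constructed, and the prefix OPS$ is assumed to be in effect.

```sql
-- Added example: review and configure operating system authentication.
-- The account OPS$JSMITH is constructed for illustration.

-- 1. What the instance is currently set to.
SELECT Name, Value
  FROM V$Parameter
 WHERE Name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Which accounts already trust the operating system for their identity.
--    In Oracle 9i the PASSWORD column of DBA_USERS reads 'EXTERNAL' for them.
SELECT UserName, Account_Status, Created
  FROM DBA_Users
 WHERE Password = 'EXTERNAL'
 ORDER BY UserName;

-- 3. Create an OS-authenticated user.  With os_authent_prefix = OPS$ (the
--    default), the OS login "jsmith" connects as OPS$JSMITH with no password:
--    SQL> CONNECT /
CREATE USER OPS$JSMITH IDENTIFIED EXTERNALLY
   DEFAULT TABLESPACE Users
   TEMPORARY TABLESPACE Temp;
GRANT CONNECT TO OPS$JSMITH;

-- 4. Init file settings (not dynamic; the instance must be restarted):
--    remote_os_authent = FALSE   -- default: only logons from the server's own
--                                -- operating system are trusted
--    remote_os_authent = TRUE    -- also trusts the user name sent by a remote
--                                -- client; this is the loophole the notes warn
--                                -- about, so leave it FALSE
```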


Assign Users to Tablespaces

Slide diagram: database structure: System tablespace, Users tablespace, Temp
tablespace, Data Files, Redo Logs, Control Files.

• Users are assigned DEFAULT and TEMPORARY tablespaces



• New users should be assigned a Default tablespace and a Temporary
tablespace. Following are the characteristics of each tablespace
assignment.
o Whenever a user is assigned a Default tablespace, all objects that
the user creates will go into that Default tablespace.
If a user specifies a tablespace name when creating a new object,
that option overrides the Default tablespace.
If a Default tablespace is not assigned to a user, the
objects created by that user will go into the System tablespace. Objects
going into the System tablespace should not be an option for obvious
reasons.
A user's Default tablespace can be changed to a new Default tablespace
by issuing the statement “Alter User UserName Default Tablespace
TablespaceName”. Examples will follow. Objects created in the old
tablespace will not be moved. Only new objects will go into the newly
assigned tablespace.
o Whenever a user is assigned a Temporary tablespace, that
tablespace will be used for temporary space required by that user's
transactions. The most common usage of a Temporary tablespace is
for sorts, as covered previously.
A Temporary tablespace only needs to be defined if no default temporary
tablespace exists for the database or the database administrator wants
to assign that user to a different tablespace.
A user's Temporary tablespace can be changed to a new Temporary
tablespace by issuing the statement “Alter User UserName Temporary
Tablespace TablespaceName”. Examples will follow.

• New users can be assigned a quota on a tablespace, including the Default
tablespace, Temporary tablespaces, or any tablespace the user may be
assigned.
o Quotas are specified on tablespaces to prevent users from using
excessive space.
o Specifying a quota of 0 on a tablespace will not allow the user to
create any new object in that tablespace.
o Only database administrators can change a user's quota.
o A quota could be placed on a Temporary tablespace to prevent a
user query from consuming all of the Temporary tablespace they
have been assigned to.
Example of assigning a user to a tablespace and quota whenever creating
the user

Example of changing a user's assigned default tablespace

Note: A user's default quota is UNLIMITED on any tablespace they have been
assigned to and not assigned a quota.
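Changing a user's tablespace assignments and quotas, then checking what is actually in force. This is an added example, not from the course example file; the tablespaces USERS and TEMP and the user Marketing are assumed to exist.

```sql
-- Added example: change a user's tablespace assignments and quotas, then verify
-- the result.  Tablespaces USERS and TEMP and user Marketing are assumed to exist.
ALTER USER Marketing DEFAULT TABLESPACE Users;   -- affects new objects only
ALTER USER Marketing TEMPORARY TABLESPACE Temp;
ALTER USER Marketing QUOTA 50M ON Users;         -- hard cap on space in USERS
ALTER USER Marketing QUOTA 0 ON System;          -- forbid any new object in SYSTEM

-- 1. Users whose Default tablespace is still SYSTEM: their tables land there.
SELECT UserName, Default_Tablespace, Temporary_Tablespace
  FROM DBA_Users
 WHERE Default_Tablespace = 'SYSTEM'
 ORDER BY UserName;

-- 2. Quotas actually in force.  A Max_Bytes of -1 means UNLIMITED on that tablespace.
SELECT UserName, Tablespace_Name,
       ROUND(Bytes / 1024 / 1024) AS Used_MB,
       DECODE(Max_Bytes, -1, 'UNLIMITED',
              TO_CHAR(ROUND(Max_Bytes / 1024 / 1024))) AS Quota_MB
  FROM DBA_TS_Quotas
 ORDER BY UserName, Tablespace_Name;

-- 3. Quotas are bypassed entirely by the UNLIMITED TABLESPACE system privilege,
--    which is granted directly whenever the RESOURCE role is granted to a user.
SELECT Grantee
  FROM DBA_Sys_Privs
 WHERE Privilege = 'UNLIMITED TABLESPACE'
 ORDER BY Grantee;

-- Take the privilege back from a user who should live within the quota above
-- (only if the query in step 3 listed MARKETING).
REVOKE UNLIMITED TABLESPACE FROM Marketing;
```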


Creating Profiles

Slide diagram: users require certain resource privileges; the database administrator
creates a profile in the Oracle database and assigns it to users.

• Users are assigned to PROFILES



• Profiles control the use of system resources by the Oracle 9i database in
relation to users. An example of a system resource would be the number
of sessions a user is permitted. A session is one connection to the
Oracle database.
• The database administrator creates profiles and assigns the profile to a
user or users.
• Every user is assigned to the DEFAULT profile if the database
administrator does not assign that user to a profile. The DEFAULT profile
has unlimited resources unless it has been changed by the database
administrator.
• A user can have only one profile in effect at a given time.
• Profiles must be enabled at the database level for all users.
• Profiles can be dropped, created, altered, and assigned to users.

• Profiles are assigned resource limits that control the use of system
resources by the user.
• Not only can individual resource limits on system resources be assigned to
users, composite resource limits can be assigned. Composite resources
are a combination of resource limits that reflect a total resource threshold.


Creating Profiles
Session Level Resource Limits      Call Level Resource Limits
Sessions_Per_User                  Logical_Reads_Per_Call
CPU_Per_Session                    CPU_Per_Call
Logical_Reads_Per_Session
Idle_Time
Connect_Time
Private_SGA

• Available Resource Limits



• Following are the resource limits that can be assigned to profiles.
o Individual resource limits at the session level.
o Sessions_Per_User - The number of individual sessions that a
given user can open.
o CPU_Per_Session – Maximum permitted CPU time in 1/100
seconds that a user can use in one session.
o Logical_Reads_Per_Session – Maximum number of disk I/O
block reads that can be executed in one session.
o Idle_Time – The amount of time in minutes that a user can
issue no commands before the user is automatically
disconnected.
o Connect_Time – The maximum amount of time in minutes that
a user can remain connected to the database until they are
automatically disconnected.
o Private_SGA – The amount of private memory in KB that a user
has in the SGA. This only applies to Shared Server.
o Individual resource limits at the call level
Logical_Reads_Per_Call – The maximum number of disk I/O
blocks that can be read in any operation within one
session.
CPU_Per_Call – The maximum allowed CPU time in 1/100
seconds that a user can use in any operation within one
session.
• Composite limits can be included in profiles. Composite limits restrict
database use by specifying a limit on how much of a host machine's
resources can be used per session.
o The Composite_Limit resource is set to a value just as any other
resource limit. Please see the Oracle 9i Database Administration
documentation for exact details of setting composite limits.
o Once the user reaches the Composite_Limit the session is
terminated.
• Users are assigned to the DEFAULT profile if they are not assigned to
any other profile. The DEFAULT profile has all resource limits set to
unlimited as illustrated below in the Data Dictionary query on
DBA_Profiles.
Example of the DEFAULT profile and its values


Creating Profiles

Create Profile Support_Only Limit
Sessions_Per_User 3
Idle_Time 60
Connect_Time 600;

Example of Creating a Profile

• Create a PROFILE first



• The first step in assigning users to profiles is to create the profile with its
associated resource limits. The second step is to assign the user to the
profile, which is illustrated on the next slide.
Example of creating the profile Support_Only

Note: If a resource limit is not included in the creation or modification of a
profile, its value will be the default value for that resource limit.
Note: At this point only the profile has been created. No users have been
assigned to the profile.


Creating Profiles
Assigning to Users

Alter User Support Profile Support_Only;

Assign User
Profile

• Assign the user to the PROFILE



• After the profile has been created, users can be assigned the profile.
• Multiple users can be assigned a profile.
• A given user can only have one profile at a given point in time.
• If a profile is taken from the user, then that user's profile reverts to the
DEFAULT profile if not assigned another profile.
• Only database administrators can create profiles, assign users to profiles,
or take profiles from user accounts.
Example of assigning a profile to a user

Note: Profiles can be assigned to users whenever the Oracle user account is
created. Please refer to the Oracle 9i Database Administration documentation
for details.

Creating Profiles
Altering Profiles

Alter Profile Support_Only Limit
Sessions_Per_User 30;

Alter
Profile

• PROFILES can be altered



• Profiles can be altered.
• If a profile is altered, the changed resource limits are not reflected
immediately in user sessions already connected to the database. After
the user disconnects and reconnects to the Oracle database the new
value of the altered resource limit takes effect.
Example altering the profile Support_Only

Note: The resource limit Sessions_Per_User is used frequently to prevent users
from connecting multiple times to the Oracle database. Multiple sessions are
often used in development environments; however, in production
environments the number of sessions per user should be limited.


Creating Profiles
Dropping Profiles

Drop Profile Support_Only Cascade;

Drop
Profile

• PROFILES can be dropped



• Profiles can be dropped.
• If users have been assigned to that profile, the CASCADE option must be
specified when dropping the profile. If no users have been assigned
to the profile, the CASCADE option is not required.
• Whenever a profile is dropped, any users assigned to that profile revert
to the DEFAULT profile.

Example of dropping a profile

Note: Remember the DEFAULT profile has all resource limits set to unlimited.
This could be dangerous in some Oracle environments.


Creating Profiles
Enabling Profiles

Alter System Set Resource_Limit = True;

Alter
System

• PROFILES must be enabled database wide



• Profiles must be activated database wide before they will be enforced for
all users assigned to profiles.

• Profiles can be activated using the following methods.
o As a database administrator issue the command “Alter System Set
Resource_Limit = True”. For the change to take effect, any users
currently connected will probably have to disconnect and reconnect
to the Oracle database.
o Set Resource_Limit in the Initialization Parameter File to
TRUE. The database must be shut down and then restarted.
Example of activating resource limits


Creating Profiles
Account Management
Failed_Login_Attempts
Password_Life_Time
Password_Reuse_Time
Password_Reuse_Max
Password_Lock_Time
Password_Grace_Time
Password_Verify_Function
• Account management security can be increased with PROFILES

• Advanced password management can be implemented using profiles.
These features allow greater security and help prevent unauthorized users from
breaking into the Oracle database. The following additional password
account management options are provided.
o Failed_Login_Attempts – The number of unsuccessful logins until
the account is locked.
o Password_Life_Time – The number of days a password will remain
active until the user must change the password.
o Password_Reuse_Time – The number of days before the user's
password can be reused.
o Password_Reuse_Max – The number of times the user's password
must be changed before it can be reused.
o Password_Lock_Time – The number of days after which Oracle will
unlock a user's account that has been locked by
Failed_Login_Attempts.
o Password_Grace_Time – The number of days during which an
expired password must be changed or the user's account will be
locked permanently.
o Password_Verify_Function – The function used for password
complexity verification.


Creating Profiles
Account Management

Alter Profile Support_Only Limit
Failed_Login_Attempts 10
Password_Life_Time 365;

Alter
Profile

• Account Management limits and PROFILES



• Above is an example of assigning advanced password management to a
profile. Advanced password management options can also be assigned
to profiles whenever they are initially created.
Example of assigning advanced password options to an existing profile.

Note: The script UtlPwdMg.sql can be executed to support the additional
functionality of password management. This script makes some changes to the
DEFAULT profile. When executed, all enhanced password management settings
defined in the DEFAULT profile are enforced.
Note: The default values for the DEFAULT profile can be changed by the
database administrator just as values for other profiles can be changed. This
applies to all options including the enhanced password features.
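The password-management limits of the previous slide applied together, with a verification function wired in through Password_Verify_Function. This is an added example: the function Verify_Pwd_Example is constructed here and is not the function that UtlPwdMg.sql installs; the profile Support_Only and user Support are the ones used throughout this module.

```sql
-- Added example: password-management limits on the profile Support_Only plus a
-- constructed verification function (NOT the one installed by utlpwdmg.sql).
-- Run as SYS: Oracle requires the verify function to be owned by SYS.
CREATE OR REPLACE FUNCTION Verify_Pwd_Example
   (Username     IN VARCHAR2,
    Password     IN VARCHAR2,
    Old_Password IN VARCHAR2)   -- NULL when a DBA sets the password
   RETURN BOOLEAN IS
   Has_Digit  BOOLEAN := FALSE;
   Has_Letter BOOLEAN := FALSE;
   Ch         VARCHAR2(1);
BEGIN
   IF LENGTH(Password) < 8 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
   END IF;
   -- the user name may not appear anywhere inside the password
   IF INSTR(UPPER(Password), UPPER(Username)) > 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'Password may not contain the user name');
   END IF;
   -- require at least one letter and one digit
   FOR I IN 1 .. LENGTH(Password) LOOP
      Ch := SUBSTR(Password, I, 1);
      IF Ch BETWEEN '0' AND '9' THEN
         Has_Digit := TRUE;
      ELSIF UPPER(Ch) BETWEEN 'A' AND 'Z' THEN
         Has_Letter := TRUE;
      END IF;
   END LOOP;
   IF NOT (Has_Digit AND Has_Letter) THEN
      RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
   END IF;
   RETURN TRUE;   -- any RAISE above makes the ALTER USER / password change fail
END;
/

ALTER PROFILE Support_Only LIMIT
   Failed_Login_Attempts    5                   -- lock after five consecutive failures
   Password_Lock_Time       1/24                -- stay locked for one hour (unit is days)
   Password_Life_Time       90                  -- then the password must be changed
   Password_Grace_Time      7                   -- warnings for a week after expiry
   Password_Reuse_Time      365                 -- a used password is blocked for a year
   Password_Reuse_Max       10                  -- and until ten other passwords were used
   Password_Verify_Function Verify_Pwd_Example;

ALTER USER Support PROFILE Support_Only;

-- Password limits take effect for the profile's users immediately and, unlike the
-- session and call limits, do not depend on RESOURCE_LIMIT = TRUE.
-- Release an account that FAILED_LOGIN_ATTEMPTS has locked before the hour is up:
ALTER USER Support ACCOUNT UNLOCK;
```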


Using the Data Dictionary to See Profiles and Resources

DBA_PROFILES            Shows resource settings for profiles.
RESOURCE_COST           Identifies resources in the database and their cost.
USER_RESOURCE_LIMITS    Shows system resource limits for individual users.
DBA_USERS               Shows the profile assigned to a user.

• Data Dictionary views and profiles


• Oracle provides a set of Data Dictionary views to query information about
profiles and resources, including the following.
o DBA_Profiles – Shows resource settings for all profiles.
o Resource_Cost - Identifies resources in the database and their
cost.
o User_Resource_Limits – Shows system resource limits for
individual users.
o DBA_Users – Shows the profile assigned to a user. A user can
query the Data Dictionary View User_Users to see the profile that
they are assigned to.

Note: For additional information about users and profiles examine the following
Data Dictionary view.
DBA_Password_Limits
Note: A set of Data Dictionary Views beginning with USER_ are also available
in most cases.


Using the Data Dictionary to See Profiles and Resources

Select Profile, Resource_Name, Resource_Type, Limit
From DBA_PROFILES
Order By Profile;

DBA_PROFILES
View

• The data dictionary view DBA_PROFILES shows profiles and resource usage

• The Data Dictionary View DBA_Profiles shows the profiles and the resource
settings assigned to each profile.
Example of querying DBA_Profiles


Using the Data Dictionary to See Profiles and Resources

Select Resource_Name, Unit_Cost
From RESOURCE_COST;

RESOURCE_COST
View

• The data dictionary view RESOURCE_COST identifies resources and costs

• The Data Dictionary View Resource_Cost identifies resources and their
associated costs. Costs are shown only if resource costs have been assigned to
the resources.
Example of querying the Data Dictionary View Resource_Cost

Note: In our example above no resource costs have been assigned.


Using the Data Dictionary to See Profiles and Resources

Select Resource_Name, Limit
From USER_RESOURCE_LIMITS;

USER_RESOURCE_LIMITS
View

• The data dictionary view USER_RESOURCE_LIMITS identifies resource costs for
individual users

• The Data Dictionary View User_Resource_Limits identifies resource costs
for individual users.
Example of performing a query on the Data Dictionary View
User_Resource_Limits


Using the Data Dictionary to See Profiles and Resources

Select UserName, Profile
From DBA_USERS
Where UserName = 'SUPPORT';

DBA_USERS
View

• The data dictionary view DBA_USERS shows users and assigned profiles

• The Data Dictionary View DBA_Users shows which profile each user is
assigned to. Remember the Data Dictionary View User_Users shows
what profile the currently connected user is assigned to.
Example of performing a query on the Data Dictionary View DBA_Users
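Joining DBA_USERS to DBA_PROFILES answers the question the four views above leave open: which limits does a given user actually live under? This is an added example using only the Oracle data dictionary views named in this section plus V$PARAMETER; the user names SUPPORT and SALES are the module's own.

```sql
-- Added example: queries joining DBA_USERS and DBA_PROFILES to see the limits a
-- user is actually subject to.  Only Oracle data dictionary views are used.

-- 1. Each user's profile, its password limits and the account state.
SELECT u.UserName, u.Account_Status, u.Profile,
       p.Resource_Name, p.Limit
  FROM DBA_Users u, DBA_Profiles p
 WHERE p.Profile = u.Profile
   AND p.Resource_Type = 'PASSWORD'
   AND u.UserName IN ('SUPPORT', 'SALES')
 ORDER BY u.UserName, p.Resource_Name;

-- 2. Users on a profile that never locks the account after failed logons
--    (the DEFAULT profile behaves this way until utlpwdmg.sql or a DBA changes it).
SELECT u.UserName, u.Profile
  FROM DBA_Users u, DBA_Profiles p
 WHERE p.Profile = u.Profile
   AND p.Resource_Name = 'FAILED_LOGIN_ATTEMPTS'
   AND p.Limit = 'UNLIMITED'
 ORDER BY u.UserName;

-- 3. Are the session and call limits enforced at all?  Password limits are
--    enforced regardless; the kernel limits need resource_limit = TRUE.
SELECT Name, Value
  FROM V$Parameter
 WHERE Name = 'resource_limit';

-- 4. Locked or expired accounts with the dates Oracle recorded.
SELECT UserName, Account_Status, Lock_Date, Expiry_Date
  FROM DBA_Users
 WHERE Account_Status <> 'OPEN'
 ORDER BY UserName;
```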


Oracle Enterprise Manager & Profiles

• Oracle Enterprise Manager can be used to manage profiles

• Oracle Enterprise Manager can be used to manage profiles. The above
illustrates the first screen in managing profiles and shows the profiles.

Oracle Enterprise Manager & Profiles

• Oracle Enterprise Manager can be used to manage profiles

• Oracle Enterprise Manager can be used to manage profiles. The above
illustrates assigning values to profiles.


Auditing
Database vs. Value Based
Slide diagram: Oracle database auditing: Database (alert log) and Value Based.

• Auditing can be classified as database auditing and value based auditing

• Auditing is the monitoring and recording of selected user database
actions and may be used to:
o Investigate suspicious activity.
o Monitor and gather data about specific database activities.
• Two types of auditing are available on the Oracle 9i server:
o Database Auditing pertains to audits of session activity by a user,
object access by a user, and certain database functions such as
startup and shutdown of the database. We will learn how to
perform database auditing in this module.
o Value Based Auditing pertains strictly to the modification of
application data in the Oracle 9i database. Value based auditing
must be performed by writing triggers and PL/SQL scripts and will
not be addressed in this module or class.
• Certain database administration events are automatically audited by
entries in the alert file for the database. These include the
following.
o Shutdown and startup of the Oracle database.
o Connections by users with database administration privileges.


Auditing
Classification of Operations
Slide diagram: Oracle database auditing examples:
Statement    Performing DDL / DML
Privilege    Insert, Update, Deletes
Object       Accessing Tables

• Auditing can also be classified as Statement, Privilege, and Object


• Database auditing can be classified into three areas:
o Statement Auditing is the selective auditing of SQL
statements with respect to the type of statement, not the specific
schema objects on which it operates.
o Privilege Auditing is the selective auditing of the use of
system privileges to perform corresponding actions, such as
CREATE INDEX or CREATE TABLE. Privilege auditing is more
focused than statement auditing because it audits only the use of
the targeted privilege.
o Object Auditing is the selective auditing of specific
statements on a particular schema object, such as AUDIT SELECT
ON EMP. Schema object auditing is very focused, auditing only a
specific statement on a specific schema object. Oracle allows audit
options to be very focused or broad.


Auditing By Focus
Slide diagram: Oracle database auditing by focus: By Statement, By User, By Session,
By Access, Whenever Successful, Whenever Not Successful.

• Auditing can be by focus



• Auditing options can be focused or very broad, including the following.
o Statement – Names the SQL statement(s) to be audited.
o User – Limits auditing of SQL statements to the named user(s).
o Session – Limits auditing by writing one audit record for the SQL
statement per session, no matter how many times the same
SQL statement is processed.
o Access – Records audit information each and every time the
SQL statement is processed.
o Whenever Successful – Audits only when the action succeeds.
o Whenever Not Successful – Audits only when the action fails.


Auditing
Enabling / Disabling

Step 1: Run CatAudit Script
@C:\oracle\ora90\rdbms\admin\cataudit
Step 2: Add Audit_Trail To Init

• Auditing must be enabled / disabled



• Auditing is not automatically enabled in the Oracle database. The
following actions must be performed by the database administrator to start
the auditing process.
o The script CatAudit.sql must be executed as the SYS owner to
create the tables required for auditing. The script CatNoAudit.sql
should be run after auditing is completed to remove the
auditing tables.
o The Audit_Trail parameter in the Initialization Parameter File must
be set to one of the following values.
OS – Audit records are written to operating
system files. The Initialization Parameter File parameter
AUDIT_FILE_DEST must also be set to specify where the
audit files should be stored.
DB / TRUE – Audit records are written to the
SYS.AUD$ table. This table was created when the
CatAudit.sql script was executed.
NONE / FALSE – Audit records are not written.

Note: Whenever auditing is set in the Initialization Parameter File the Oracle
database must be shut down and restarted. The parameter is not dynamic.


Enabling Auditing Examples

Audit Alter Any Table
By Sales By Access
Whenever Successful;

Example of Auditing

• Example of auditing

• The above example audits successful attempts by the user Sales to alter
any table.
Example

Note: Some additional auditing options include (object audits name the table with ON):
Audit Alter On Sales.Companies By Access Whenever Successful;
Audit Alter On Sales.Companies By Session Whenever Not Successful;
Audit Alter On Sales.Companies By Session Whenever Successful;


Enabling Auditing Examples

Audit Connect By Sales
Whenever Not Successful;

Example of Auditing

• Example of auditing

• The above example audits unsuccessful attempts by the user Sales to
connect to the Oracle database.

Note: Some additional auditing options include:

   Audit Connect Whenever Not Successful;
   Audit Connect Whenever Successful;


Enabling Auditing Examples


   Audit Update, Delete On Sales.Companies By Access Whenever Successful;

Example of Auditing

• Example of auditing all updates and deletes on Sales.Companies
whenever successful. Many audit records can be written out for each
session since the audit is by access.


Disabling Auditing Examples


   NoAudit Alter Any Table By Sales Whenever Successful;

Example of Disabling Auditing

• The above example disables auditing of the user Sales whenever they
successfully alter any table.


Disabling Auditing Examples


   NoAudit Connect By Sales Whenever Not Successful;

Example of Disabling Auditing

• The above example disables the auditing of unsuccessful connections by
the user Sales.


Disabling Auditing Examples


   NoAudit Update, Delete On Sales.Companies;

Example of Disabling Auditing

• The above example disables auditing of updates and deletes on the
Sales.Companies table.


Managing Audit Results

   Create Table Audit_Temp As
     Select * From Sys.Aud$
     Where TimeStamp# < SysDate - 30;

   Delete From Sys.Aud$
     Where TimeStamp# < SysDate - 30;

The Aud$ table must be managed

• Auditing records are placed in the Aud$ table in the System account. This
table has the possibility of becoming quite large depending on the auditing
activity initiated. Additionally, the Aud$ will probably be located in the
System Tablespace which may cause additional storage issues.
• The database administrator must periodically archive / delete records in
the Aud$ table.
• The following steps offer one method of managing the Aud$ table.
o Connect to the Oracle database as SYS. This should be one of the few
circumstances in which the database administrator connects to the SYS
account.

o Create another table with the records from the Aud$ table. The new table should
go into a different tablespace if possible.

o Delete the original records in the Aud$ table.

• Another method of managing the Aud$ would be to Export the table and
then delete the rows in the Aud$ table. The Export / Import utility will be
presented in the Oracle 9i Database Administration II class.
• Records can be deleted from the audit trail by the user SYS or any user
with DELETE ANY TABLE privilege.
Note: If user connections are audited and the Aud$ table causes the System tablespace
to fill, additional users attempting to connect to the database may not be able to
connect. The database administrator will probably have to add space to the tablespace
and clear the Aud$ table.
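The archive-and-purge steps above, carried through as one PL/SQL run (an added example, not the course's own script). It assumes the run is done as SYS, that an archive tablespace named AUDIT_ARCH exists (a hypothetical name; the point is that it is not SYSTEM), and that the 9i base table date column is TIMESTAMP#; the cutoff is fixed once so the copy and the delete agree on exactly the same rows.

```sql
-- Added example (not from the course): archive SYS.AUD$ rows older than 30 days
-- into a table in a separate tablespace, then purge only the rows that were copied.
-- Assumptions: run as SYS; tablespace AUDIT_ARCH exists (hypothetical name);
-- the Oracle 9i AUD$ date column is TIMESTAMP#.

-- One-time setup: an empty copy of AUD$ outside the SYSTEM tablespace.
CREATE TABLE sys.aud_archive TABLESPACE audit_arch
  AS SELECT * FROM sys.aud$ WHERE 1 = 0;

-- Repeatable archive/purge run.
SET SERVEROUTPUT ON
DECLARE
  v_cutoff   DATE := TRUNC(SYSDATE) - 30;  -- evaluated once for both statements
  v_copied   PLS_INTEGER;
  v_deleted  PLS_INTEGER;
BEGIN
  INSERT INTO sys.aud_archive
    SELECT * FROM sys.aud$ WHERE timestamp# < v_cutoff;
  v_copied := SQL%ROWCOUNT;

  DELETE FROM sys.aud$ WHERE timestamp# < v_cutoff;
  v_deleted := SQL%ROWCOUNT;

  -- Never lose audit records: if the two counts disagree, undo both statements.
  IF v_copied <> v_deleted THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'Archive/purge mismatch: copied ' || v_copied || ', deleted ' || v_deleted);
  END IF;

  COMMIT;
  DBMS_OUTPUT.PUT_LINE('Archived and purged ' || v_copied ||
                       ' audit rows older than ' || TO_CHAR(v_cutoff, 'YYYY-MM-DD'));
END;
/
```

The archive table should be protected like Aud$ itself (see the auditing guidelines later in this module), since it holds the same audit records.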

Viewing Enabled Auditing Options

   DBA_Obj_Audit_Opts    Auditing options for database objects.
   DBA_Priv_Audit_Opts   Auditing options for all privileges.
   DBA_Stmt_Audit_Opts   Auditing options for all statements.
   All_Def_Audit_Opts    Default options for auditing objects.

Enabled auditing options can be viewed

• Enabled auditing options can be viewed by querying several Data Dictionary
views, including the following.
o DBA_Obj_Audit_Opts – Shows auditing options enabled for
database objects such as indexes and tables.
o DBA_Priv_Audit_Opts – Shows auditing options enabled for all
privileges.
o DBA_Stmt_Audit_Opts – Shows auditing options enabled for all
statements.
o All_Def_Audit_Opts – Shows default options for auditing objects.


Viewing Enabled Auditing Options


   Select Owner, Object_Name, Object_Type
   From DBA_OBJ_AUDIT_OPTS
   Where Owner = 'SALES';

DBA_OBJ_AUDIT_OPTS View

• The Data Dictionary View DBA_Obj_Audit_Opts shows auditing options
enabled for database objects such as indexes and tables.
Example performing a query on the Data Dictionary View
DBA_Obj_Audit_Opts

Note: It is recommended to perform queries on the other Data Dictionary Views
that show auditing options.
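Following that note, here is an added example (not from the course) that reports everything currently audited in one pass, which is the check to run before adding another AUDIT statement so that the "audit very conservatively" guideline is met. It assumes the documented 9i column names of the three views; SALES and COMPANIES are the course's own schema and table.

```sql
-- Added example (not from the course): one report of the statement and privilege
-- audit options that are on. A NULL USER_NAME means the option applies to all users;
-- SUCCESS and FAILURE each show BY SESSION, BY ACCESS or NOT SET.
SELECT 'STATEMENT' AS kind,
       NVL(user_name, '<all users>') AS audited_user,
       audit_option                  AS what,
       success, failure
  FROM dba_stmt_audit_opts
UNION ALL
SELECT 'PRIVILEGE',
       NVL(user_name, '<all users>'),
       privilege,
       success, failure
  FROM dba_priv_audit_opts
 ORDER BY 1, 2, 3;

-- Object-level options for the course's Sales.Companies table. Each option column
-- holds success/failure, e.g. 'A/-' = by access on success, not audited on failure,
-- 'S/S' = by session for both, '-/-' = not audited.
SELECT owner, object_name, object_type,
       alt AS alter_opt,
       del AS delete_opt,
       ins AS insert_opt,
       sel AS select_opt,
       upd AS update_opt
  FROM dba_obj_audit_opts
 WHERE owner = 'SALES'
   AND object_name = 'COMPANIES';
```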


Viewing Enabled Auditing Results

   DBA_Audit_Exists      Audit entries by the exists option.
   DBA_Audit_Object      Audit entries for object audits.
   DBA_Audit_Session     Audit entries by session connects and disconnects.
   DBA_Audit_Statement   Audit entries generated by statement options.
   DBA_Audit_Trail       All entries in the Aud$ table.

Auditing results can be viewed

• The following Data Dictionary Views can be used to view auditing results.
o DBA_Audit_Exists – Audit entries by the exists option.
o DBA_Audit_Object – Audit entries for object audits such as tables
and indexes.
o DBA_Audit_Session – Audit entries by session connects and
disconnects.
o DBA_Audit_Statement – Audit entries generated by statement
options.
o DBA_Audit_Trail – All entries in the Aud$ table.


Viewing Enabled Auditing Results


   Select UserName, Obj_Name, Action_Name, ReturnCode
   From DBA_AUDIT_OBJECT;

DBA_AUDIT_OBJECT View

• The Data Dictionary View DBA_Audit_Object shows audit entries for
object audits such as tables and indexes.
Example of querying the Data Dictionary View DBA_Audit_Object.

Note: It is recommended to perform queries on the other Data Dictionary Views
that show audit entries.
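As an added example (not from the course) of querying one of those other views, the following turns the session entries produced by Audit Connect Whenever Not Successful into a detection report: it groups failed logons per user, host and hour and flags attempts that hit an already locked account. It assumes the documented DBA_AUDIT_SESSION columns, that RETURNCODE holds the ORA- error number of the failure, and a threshold of five failures per hour, which is a constructed value to adjust for the site.

```sql
-- Added example (not from the course): failed-logon report from the session audit
-- trail. RETURNCODE: 0 = success, 1017 = invalid username/password,
-- 28000 = account locked. Threshold of 5 per hour is an assumption.
SELECT username,
       userhost,
       TRUNC(timestamp, 'HH24')                               AS hour_start,
       COUNT(*)                                               AS failed_logons,
       SUM(CASE WHEN returncode = 1017  THEN 1 ELSE 0 END)    AS bad_password,
       SUM(CASE WHEN returncode = 28000 THEN 1 ELSE 0 END)    AS hit_locked_account
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1          -- last 24 hours
 GROUP BY username, userhost, TRUNC(timestamp, 'HH24')
HAVING COUNT(*) >= 5
 ORDER BY failed_logons DESC, hour_start;

-- Baseline for comparison: from which hosts each account normally logs on
-- successfully, so a burst of failures from an unfamiliar host stands out.
SELECT username,
       userhost,
       COUNT(*)        AS logons,
       MIN(timestamp)  AS first_seen,
       MAX(timestamp)  AS last_seen
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode = 0
   AND timestamp > SYSDATE - 7
 GROUP BY username, userhost
 ORDER BY username, logons DESC;
```

Both queries need Audit Connect to be active for the accounts concerned; with only Whenever Not Successful enabled, the second query returns no rows.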


Auditing Guidelines

   Evaluate the purpose for auditing
   Audit very conservatively
   Only set specific actions to audit
   Protect the audit trail
   Archive and purge the audit trail

Adhere to auditing recommendations

• The following auditing guidelines should be followed.
o Evaluate the purpose for auditing. Do not audit unless it is
absolutely necessary. Auditing causes additional overhead on the
Oracle database and additional work load for database
administrators.
o Audit very conservatively. Do not audit just for the sake of
auditing.
o Only set specific actions to audit. Do not produce information
overload in the Aud$ table. Too much auditing defeats the purpose
of auditing.
o Protect the audit trail. If writing audit files to the operating system
be sure to protect the audit file. If auditing information is going to
the Aud$ table it should be protected since it is in the SYS account.
If copying the Aud$ to a different table be sure to protect that table.
o Archive and purge the audit trail. The Aud$ table has the potential
of becoming very large. Always purge the audit trail on a regular
basis.


Oracle Certified Professional Test Questions


1. As a database administrator you just changed a resource limit that was
assigned to a profile named Sales_Reps . This profile was assigned to
the Oracle user account Dwentz. What should the database administrator
do so the new resource limit for the changed profile Sales_Reps is
reflected for the user Dwentz?

a. Shutdown and restart the Oracle database.
b. Have the user Dwentz disconnect and reconnect.
c. Do nothing since the new resource limit will be immediately reflected for
the user account Dwentz.
d. The user account Dwentz will revert to the DEFAULT profile until the user
Dwentz disconnects and reconnects to the database.

2. If a user is not assigned a profile right after the user account was created
what will the value of the resource limit Sessions_Per_User be?
a. Unlimited
b. 99999999
c. The user will not be able to connect since the user account has not been
assigned a profile.
d. 1

3. Which of the following is not a valid resource limit whenever creating
profiles?
a. Sessions_Per_User
b. CPU_Per_Session
c. Logical_Reads_Per_Session
d. Password_Timeout
e. Private_SGA

4. As a database administrator you wish to prevent a user from accessing
their Oracle user account. What would be the best method of preventing a
user from accessing their user account?
a. Limit the number of times the user can connect to Oracle by assigning
them to a profile that has Sessions_Per_User set to 0.
b. Remove the user's account completely.
c. Lock the user's account.
d. Assign the user to the DEFAULT profile.

5. To limit the total resource costs of a user session what resource limit
should be assigned to a profile that the user has been assigned to?
a. Composite_Limit
b. CPU_Per_Session
c. CPU_Per_Call
d. Logical_Reads_Per_Session
e. Logical_Reads_Per_Call

6. As a database administrator you want to find out what profile each user is
assigned to. What Data Dictionary view would you perform a query on?
a. User_Users
b. DBA_Profiles
c. DBA_Users
d. User_Profiles

7. To see only what roles are assigned to other roles what data dictionary
view would be utilized?

a. USER_ROLE_PRIVS
b. ROLE_SYS_PRIVS
c. ROLE_TAB_PRIVS
d. ROLE_ROLE_PRIVS
e. Cannot be accomplished using the data dictionary.

8. As a database administrator you are receiving calls that users are hanging
whenever attempting to connect to the database. Auditing for successful
and unsuccessful connections for all users is currently active. Which of the
following is a likely reason for the users' problem whenever attempting to
connect to the database?
a. The user has issued the incorrect userid and password.
b. The user's account has been locked.
c. The Temp tablespace has become full.
d. The Aud$ table has caused the System tablespace to become full.

9. To enable auditing to the Aud$ table the Audit_Trail Initialization
Parameter must be set to?
a. DB
b. FALSE
c. OS
d. NONE

10. Which of the following is not a good reason to audit whenever
implementing the Aud$ table method?
a. You wish to audit every unsuccessful login attempt.
b. You wish to know whenever the Oracle database was shutdown
and restarted.
c. You wish to know whenever a particular table in a certain schema
was dropped.
d. You wish to know whenever a user grants a table to another user.


Lab Exercises

1. Create a new user and force that new user to change their password
whenever connecting for the first time. Be sure to grant the new user
appropriate privileges so they can connect to the database.
2. Set the user created in Lab Exercise # 1 to the following tablespaces and
quotas:
   Default Tablespace Users Quota 5m
   Temporary Tablespace Temp Quota 2m
3. Create a profile named Sales_Reps and assign the profile to the user created
in Lab Exercise #1. The profile should have the following resource limits:
   Sessions_Per_User 1
   Connect_Time 60
   Password_Reuse_Time 90
Remember that resource limits must be enabled for them to work.
Attempt to connect to the user account created in Lab Exercise # 1 more than
one time. What happened and why?
4. Enable auditing and audit the user created in Lab Exercise #1 for the
following:
   Every time the user successfully connects to the database.
   The first time in each session that the user attempts to create a new table.
Verify that audit records were written to the Aud$ table.
Be sure to disable auditing; however, do not remove the Aud$ table.
5. Drop the Profile Sales_Reps created in Lab Exercise # 3 above.
6. Drop the user created in Lab Exercise # 1 above.
7. Remove the Aud$ table and disable auditing.


Oracle Certified Professional Test Questions – Answers


1. b
2. a
3. d
4. c
5. a
6. c
7. d
8. d
9. a
10. b


Lab Exercise - Answers

Lab exercise 1

Lab exercise 2


Lab exercise 3

You should only be able to connect one time since the Sessions_Per_User was
set to one.

Lab exercise 4
You must shut down the Oracle database and place Audit_Trail = OS in the
Initialization Parameter File.
The script CatAudit.sql must be executed as SYS. This is not illustrated.


Attempt to connect as the user created in Lab Exercise # 1 above several times.

Lab Exercise 5


Lab Exercise 6

Lab Exercise 7
Run the script CatNoAudit.sql to remove the Aud$ table.
Remove the Audit_Trail entry in the Initialization Parameter File or set it to
NONE. Shut down and restart the database.
